bvstone

SSL Handshake Errors with GETURI, MAILTOOL and GreenTools Products

UPDATE: IBM Has Issued PTFs That May Solve This Issue:

The following PTFs have been issued that should solve this issue.  The previously listed PTFs didn't seem to solve the issue.  But as of 2/10/2022 these have been tested by myself and seem to work:

7.3 - MF69527
7.4 - MF69523

SSL/TLS Handshake Errors

Recently IBM i users (and myself) that use applications that communicate over SSL/TLS with sockets (such as GETURI, MAILTOOL, G4G, G4MS, HTTPAPI, etc.) have run into some communication issues.  The two errors in question are:

  • Error performing SSL Handshake.  RC(-11) or RC(-16) PeerCertRC(0) - For the base IBM SSL APIs

  • Error performing SSL handshake.  RC(415) errno(0) - When using the GSKit SSL APIs

This error is random and most of the time is resolved by making the request again.  We understand this solution isn't ideal and have been trying to work with IBM to find a proper solution.

I did open a case with IBM (as have others regarding the same issue) but we were unable to find the issue's main cause. However, with some trial and error we were able to find a couple of solutions that did work for most endpoints for the time being.

I also started a conversation on Stack Overflow and have received one reply that may help us down the right path.  It makes sense if Google says a cipher isn't compatible that it would cause problems, but again I don't know why Google wouldn't just ignore that cipher as there are normally many more to choose from in the SSL handshake negotiation.

Solution 1: Remove *TLSV1.3 from system value QSSLPCL

This solution seemed to solve the problem for myself, although I didn't perform as many tests as the other options.  For some shops this is not an option for security reasons, but if it is, give it a try to see if it helps.  I don't know of any endpoints that require only TLS v1.3 at this time, but that may not be the case for you.

Solution 2: Remove Specific SSL Ciphers From System Value QSSLCSL

The following ciphers were removed from the system cipher list (system value QSSLCSL) after changing system value QSSLCSLCTL to *USRDFN.

  • *ECDHE_RSA_AES_256_GCM_SHA384 -  this one seems to cause problems with Google/GMail and Microsoft/Office 365.

  • *AES_256_GCM_SHA384 - this one seems to cause problems with GoDaddy.  

Your situation may be a different cipher.  I have another customer now getting this error communicating with a server using a new Amazon root CA.  So, it's important to open a call with IBM when you have this problem so they can do a trace and hopefully find out which cipher may be an issue, or possibly find a real answer/solution to this problem.

No IPL is required after making any of these changes.       

After removing these ciphers from my system cipher list, all of the errors I was experiencing stopped.  In your case, it could be a different cipher that is causing the problem depending on the endpoint that is having the issue.  Removing these ciphers should not cause any issues with other applications, and in fact on the Stack Overflow post I made someone actually commented that one of the ciphers isn't compatible.

Final Actions:

Step 1: Contact IBM support and let them know you're having this issue.  The more people that contact them, the more they hopefully will be willing to dig deeper into the issue or issue a PTF that removes specific ciphers that seem to be causing the problem from the *OPSYS SSL cipher list for the QSSLCSLCTL system value.  I suspect that as time goes on more vendors, and even IBM themselves, will encounter this issue making it even more critical to fix.

Step 2: Try removing the specific ciphers from the SSL list mentioned above.  This completely resolved the issue for me.  I know that sometimes this type of thing can make you wonder if something else will break, but it is most likely what IBM will suggest as well.

Step 3: Make sure you have the latest version of MAILTOOL installed.  We have added a "retry" option to MAILTOOL if this specific error occurs.

Step 4: For GETURI, and the GreenTools products, you may need to add retries to your code as well when this specific error occurs.

Step 5:  If you learn any information that may help, I have opened a question on Stack Overflow that I am hoping if the right eyes see it, we'll get an answer.  If you have any friends at Google, Microsoft, or GoDaddy, myself and IBM are willing to work with them to figure out the issue.

Thank you, and we apologize for the inconvenience this issue may have caused.


 


Last edited 02/11/2022 at 07:55:58
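The retry suggested in Steps 3 and 4, as an added example that is not part of the original post or of any BVSTools product: it retries only the handshake return codes quoted above and records each failure so the occurrences can be handed to IBM support. The `request` callable and its `(ok, message)` return shape are hypothetical stand-ins for whatever call your program makes (GETURI, HTTPAPI, etc.).

```python
import re
import time

# Return codes the post reports for the random handshake failure:
# -11 / -16 from the base IBM SSL APIs, 415 from the GSKit SSL APIs.
RETRYABLE_RC = {"-11", "-16", "415"}
HANDSHAKE_RE = re.compile(
    r"Error performing SSL handshake\.\s+RC\((-?\d+)\)"
    r"(?:\s+PeerCertRC\((-?\d+)\))?",
    re.IGNORECASE,
)


def is_retryable(message):
    """True only for the handshake errors quoted in the post."""
    m = HANDSHAKE_RE.search(message or "")
    if not m:
        return False
    rc, peer_cert_rc = m.group(1), m.group(2)
    # The post's base-API message carries PeerCertRC(0); any other value is
    # outside what the post describes, so it is not retried here.
    if peer_cert_rc not in (None, "0"):
        return False
    return rc in RETRYABLE_RC


def request_with_retry(request, max_attempts=3, delay=1.0, sleep=time.sleep):
    """Call request() (hypothetical, returns (ok, message)) until it succeeds,
    hits a non-retryable error, or max_attempts is reached.
    Returns (ok, message, failures); failures lists each handshake error seen."""
    failures = []
    message = ""
    for attempt in range(1, max_attempts + 1):
        ok, message = request()
        if ok:
            return True, message, failures
        if not is_retryable(message):
            return False, message, failures  # do not mask other errors
        failures.append((attempt, message))
        if attempt < max_attempts:
            sleep(delay * attempt)  # linear backoff between attempts
    return False, message, failures
```

Keeping `max_attempts` small and logging `failures` means a retry hides the random error from users without hiding it from whoever is tracking the problem.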


